Attacks on Virtual Machine Emulators


1 Attacks on Virtual Machine Emulators
Peter Ferrie, Senior Principal Researcher, Symantec Security Response, 5 December 2006

2 Agenda
1. Attack Types
2. Types of Virtual Machine Emulators
3. Detection of Hardware VMEs
4. Detection of Software VMEs
5. What can we do?
6. Q and A

3 Attack Types
- Detection
- Denial-of-Service
- Escape!

4 Attack Types : Detection

5 Attack Types : Detection

6 Attack Types : Denial-of-Service

7 Attack Types : Escape!

8 Attack Types : Escape!

9 Types of Virtual Machine Emulators
- Hardware-Bound
  - Hardware-Assisted
  - Reduced-Privilege Guest
- Pure Software

10 Reduced-Privilege Guest VMEs
- Software-based virtualization of important data structures and registers
- Guest runs at a lower privilege level than before
- No way to avoid notification of all CPU events

11 Examples of Reduced-Privilege Guest VMEs
- VMware
- Xen
- Parallels
- Virtuozzo (probably)

12 Hardware-Assisted VMEs
- Uses CPU-specific instructions to place the system into virtual mode
- Guest privileges unchanged
- Separate host and guest copies of important data structures and registers
- Guest copies have no effect on the host
- Host can request notification of specific CPU events

13 Examples of Hardware-Assisted VMEs
- BluePill
- Vitriol
- Xen 3.x
- Virtual Server 2005
- Parallels
- Virtuozzo (probably)

14 Detection of Hardware VMEs : TSC Method
Physical Hardware          Virtual Hardware
T1      Instruction 1      T1      Instruction 1
T1+1    Instruction 2      T1+1    Instruction 2
T1+2    Instruction 3      T1+2    [VM fault]
                           T1+N    Instruction 3
where N is a large number

15 Detection of Hardware VMEs : TLB Method
Step 1:
T1        read memory 1
T1+X1     read memory 2
T1+X2     read memory 3
T1+X3     read memory 4
FT (Fill Time) = ((T1+X3)-T1)/4

Step 2:
T2        read memory 1
T2+Y1     read memory 2
T2+Y2     read memory 3
T2+Y3     read memory 4
CT (Cached Time) = ((T2+Y3)-T2)/4

16 Detection of Hardware VMEs : TLB Method
Step 3: Execute CPUID

Step 4:
T3        read memory 1
T3+Z1     read memory 2
T3+Z2     read memory 3
T3+Z3     read memory 4
DT (Detect Time) = ((T3+Z3)-T3)/4

Step 5:
If DT ~= CT, then physical
If DT ~= FT, then virtual
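The five steps of the TLB method on slides 15 and 16, as an added C example that is not part of the presentation, written so a VME maintainer can measure whether a CPUID-triggered VM exit leaves a visible TLB flush. It assumes an x86 CPU with 4 KiB pages; the page count of four follows the slides, and the "closer to CT or FT" verdict rule is my own reading of step 5.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define PAGES 4            /* the slides time four memory reads */
#define PAGE_BYTES 4096

typedef enum { TLB_PHYSICAL, TLB_VIRTUAL, TLB_UNDECIDED } tlb_verdict;

/* Step 5: DT ~= CT means the TLB survived CPUID (physical), DT ~= FT means
   the VM exit flushed it (virtual); ties or FT <= CT give no verdict. */
tlb_verdict tlb_classify(uint64_t ft, uint64_t ct, uint64_t dt) {
    if (ft <= ct) return TLB_UNDECIDED;
    uint64_t d_ct = dt > ct ? dt - ct : ct - dt;
    uint64_t d_ft = dt > ft ? dt - ft : ft - dt;
    if (d_ct < d_ft) return TLB_PHYSICAL;
    if (d_ft < d_ct) return TLB_VIRTUAL;
    return TLB_UNDECIDED;
}

#if defined(__x86_64__) || defined(__i386__)
static uint64_t rdtsc_now(void) {
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
/* Steps 1, 2 and 4: average TSC ticks per read, one read per page. */
static uint64_t time_reads(volatile uint8_t *buf) {
    uint64_t t0 = rdtsc_now();
    for (int i = 0; i < PAGES; i++) (void)buf[i * PAGE_BYTES];
    return (rdtsc_now() - t0) / PAGES;
}
/* Step 3: CPUID always causes a VM exit on VT-x and AMD-V. */
static void cpuid_exit(void) {
    uint32_t a = 0, b, c, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
}
int main(void) {
    static const char *verdict[] = { "physical", "virtual", "undecided" };
    volatile uint8_t *buf = malloc(PAGES * PAGE_BYTES);
    if (!buf) return 1;
    uint64_t ft = time_reads(buf);  /* first touch: TLB (and page) fill */
    uint64_t ct = time_reads(buf);  /* second pass: TLB hits */
    cpuid_exit();
    uint64_t dt = time_reads(buf);  /* did the VM exit flush the TLB? */
    printf("FT=%llu CT=%llu DT=%llu -> %s\n", (unsigned long long)ft,
           (unsigned long long)ct, (unsigned long long)dt, verdict[tlb_classify(ft, ct, dt)]);
    free((void *)buf);
    return 0;
}
#endif
```

On current systems the first pass also pays a demand-paging fault, and VT-x with VPID (tagged TLBs) does not flush the TLB on a VM exit, so this 2006 check is expected to report physical or undecided there; the measurement is worth repeating many times and taking the minimum before trusting any verdict.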

17 Pure Software VMEs
- CPU operation implemented entirely in software
- Emulated CPU does not have to match the physical CPU
- Portable
- Can optionally support multiple CPU generations
Examples: Hydra, Bochs, QEMU

18 Pure Software VMEs (Hybrid model)
- Commonly used by anti-virus software
- Emulates the CPU and a partial operating system
- CPU operation implemented entirely in software
Examples: Atlantis, Sandbox

19 Malicious VMEs (SubVirt)
- Reduced-privilege guest
- Installs a second operating system
- Runs on Windows and Linux
- Carries VirtualPC for Windows
- Carries VMware for Linux
- Compromised system is difficult to detect

20 Detecting VMware
- IDT/GDT at high memory address
- Non-zero LDT
- Port 5658h
- Windows registry
- Video and ROM BIOS text strings
- Device names
- MAC address ranges

21 Detecting VirtualPC
- IDT/GDT at high memory address
- Non-zero LDT
- 0F 3F opcode
- 0F C7 C8 opcode
- Overly long instruction
- Device names

22 Detecting Parallels
- IDT/GDT at high memory address
- Non-zero LDT
- Device names

23 Detecting Bochs
- [WB]INVD flushes TLBs
- REP CMPS/SCAS flags
- CPUID processor name
- CPUID AMD K7 Easter Egg
- 32-bit ARPL register corruption
- 16-bit segment wraparound
- Device names

24 Attacking Bochs
Bochs denial-of-service:
- Floppy with >18 sectors per track
- Floppy with >512 bytes per sector
- Non-ring0 SYSENTER CS MSR

25 Detecting Hydra
- REP MOVS/SCAS integer overflow
- 16-bit segment wraparound

26 Detecting QEMU
- CPUID processor name
- CPUID K7 Easter Egg
- CMPXCHG8B memory write
- Double-faulting CPU

27 Detecting Atlantis and Sandbox
- Unimplemented APIs
- Incorrectly-emulated APIs (example: Beep() in Windows 9x vs Windows NT)
- Unfortunately correct emulation (example: not crashing on corrupted WMFs)

28 What can we do?
- Reduced-privilege guests
  - Nothing
- VirtualPC
  - Intercept SIDT
  - Check for maximum instruction length
  - Remove custom CPUID processor name
- Bochs, Hydra, QEMU
  - Bug fixes
  - Full stealth should be possible

29 Questions? Thank you.

